Release Notes
Product Description
CipherTrust Application Data Protection for Java is a Java Cryptography Extension (JCE) provider that helps users integrate their Java applications with the cryptographic and key management capabilities of the Key Manager. CADP for Java provides APIs (Java, REST, and SOAP) to perform cryptographic and key management operations using the Key Manager.
Release Description
This release includes enhancements and bug fixes.
Enhancements
Provided cipher interoperability for FPE algorithms in SDK and WebServices. Support for Unicode is also added.
Added support for the FF3-1 algorithm. This functionality is supported from the CipherTrust Manager 2.14 release onward.
Support added for custom static masking formats in FPE.
Added support for key state handling for non-versioned keys in the local mode.
Updated documentation to add steps to configure BCFKS keystore.
Improved the documentation for some of the properties in the CADP_for_JAVA.properties file. The same information is also updated on Thalesdocs.
Advisory Notes
Before deploying this release, note the following high-level requirements and limitations:
Removal of safenetcloud.war and sfbyok.war files from the CADP for Java package: We are migrating CSEG and BYOK REST API support to open source as an integration. To handle these migrations, from the 8.15.0 release onward, the safenetcloud.war and sfbyok.war files are not bundled with the CADP for Java package. Soon, CSEG and BYOK REST API support will be available as open source.
Jar File Version Change: The jar file version is 8.15.0.001 and the name of the file is CADP_for_JAVA-8.15.0.001.jar. Customers upgrading from previous releases must update the classpath to reflect this new name.
Downloading JCE Policy Files: The CADP for Java Provider does not include the JCE policy files required to use unlimited strength ciphers (e.g., 192- and 256-bit AES keys). You must download the unlimited strength policy files for your Java 8 implementation.
Generate and Install a Client Certificate with an IP Address: A workaround is available to generate and install a client certificate containing a client IP address into a Java key store for JCE client application use.
Key versioning and group key permission are not supported by the Key Manager device with the KMIP protocol.
Resolved and Known Issues
The following table defines the severity of the issues listed in this section.
Priority | Classification | Definition |
---|---|---|
C | Critical | No reasonable workaround exists. |
H | High | Reasonable workaround exists. |
M | Medium | Medium level priority problems. |
L | Low | Lowest level priority problems. |
Resolved Issues
The following issues are fixed in this release.
Issue | Severity | Synopsis |
---|---|---|
CADP-15816 | H | Fixed known vulnerabilities. |
CADP-15888 | M | When performing AES/GCM block decryption with OpenJDK 17, an additional block is appended at the end of the output. |
CADP-15825 | H | Decryption with GCM mode fails with OpenJDK 17. |
CADP-14464 | M | The CADP_for_JAVA.properties file shows incorrect information about the Log_rotation parameter. |
CADP-11432 | M | Key state handling for non-versioned keys is not supported in the local mode. |
CADP-16439 | H | Custom key attributes can't be modified using CADP for Java WebServices. |
CADP-16194 | H | The Connection_Timeout property is not working as expected. |
Known Issues
The following issues are known to exist in the product at the time of release.
Issue | Severity | Synopsis |
---|---|---|
CADP-16409 | M | [Remote Mode] EC encryption followed by RSA sign fails when called in the same connection. |
CADP-16489 | M | Type of custom key attributes can't be modified using CADP for Java WebServices. |
CADP-10355 | H | Bulk crypto operation becomes unresponsive when data size and batch size are greater than 2000. |
CADP-10241 | H | Bulk operation with AES/CBC/PKCS5Padding returns incorrect ciphertext when batch size exceeds 375. |
CADP-12400 | H | While retrieving global keys using the getKeys() API, CADP for Java throws Server closed connection exception. |
CADP-9834 | H | For bulk operation, if data is null or blank, the whole batch is discarded and the operation is terminated. |
CADP-13846 | M | [KMIP] Unable to add custom attribute. |
CADP-13847 | M | [KMIP] Unable to delete key. |
CADP-13848 | M | [KMIP] Crypto not working for AES/GCM. |
CADP-13849 | M | [KMIP] Unable to perform wrap and unWrap. |
CADP-13850 | M | [KMIP] Query operation not working. |
PA-5194 | H | There is a difference in RSA private key export format in local and remote mode. |
PA-5201 | H | [Local Mode] Key information returns null or NullPointerException message for retired key versions. |
PA-5196 | H | [Remote Mode] Unable to fetch new key state information after modifying its state during the same session. |
PAN-1802 | M | In a multithreaded environment, the "Given Final Block not properly padded" exception is thrown if ECB mode is used for encryption/decryption and Persistent cache is also enabled. |
PA-4314 | M | KMIP: Authenticated user cannot Locate global keys. |
48382 | M | Considerations when using PKCS #5 Padding. Problem: If users attempt a chain of operations that includes two decrypt operations that use PKCS #5 padding, the chain of operations might hang because both decrypt operations wait for the doFinal() method. This scenario poses another potential issue when the user’s input data requires only one block (e.g. 8 bytes for DES and DESede, or 16 bytes for AES), with chances of the NAE server returning incorrect data. |
48080 | M | Key Generation Requests and Key Permissions. Problem: NAE users cannot see keys that they do not have permission to use. However, a key generation request will fail if the key already exists on the server. A user could use this behavior to discover the names of existing keys. |
Compatibility Information
Key Manager
CipherTrust Manager 2.11.1 and higher versions.
Operating Systems
CADP for Java works with most operating systems. It is supported on a variety of platforms, including Windows, RHEL, Solaris, HPUX, and AIX PowerPC. Not all operating system version combinations are explicitly validated.
Supported JRE
The following JRE versions are supported in this release: Oracle Java version 8 (minimum 1.8.0_111), 10, 11 (including OpenJDK and Amazon Corretto), 12 (including OpenJDK and Azul Java), 14 (including OpenJDK), 15 (including OpenJDK), 17 (including OpenJDK), 19 (including OpenJDK), 21 (including OpenJDK) or IBM Java 8 (minimum 8.0.6.25).
Deliverables
This release includes the following components:
Software: 610-000873-005_CADP_for_JAVA-8.15.0.001.zip
Product documentation is available on Thalesdocs
CADP for Java samples are available on Github
Package for CADP for Java (Java API) is available on Maven